
Page 1: Improving Security in Embedded Systems - Wind River
Page 2

Improving Security in Embedded Systems
Felix Baum, Product Line Manager

Page 3

The Challenge with Embedded Security

Business Imperatives
“I need to keep my production expenses as low as possible.”
“My products operate in a number of different environments and verticals.”
“My devices require network connectivity for M2M communication.”

Security Imperatives
“How do I provide adequate security with limited resources?”
“How do I protect my devices from Internet-based attacks?”
“How do I meet regulatory requirements specific to my industry?”

| © 2012 Wind River. All Rights Reserved. 3

Page 4

PREPA: A House of Pain

Puerto Rico Electric Power Authority (PREPA)
Fiscal Year 2011 Financial Information: Assets $9.9B; Revenue $4.4B; Net income $706M; Fitch bond rating BBB+

Bad Guys: “Individuals with only a moderate level of computer knowledge”
Tools Used: “$400 tools and software readily available on the Internet”
Attack Vectors: Weak authentication credentials; magnetic interference
Financial Incentive: $300–$3,000/meter for hackers; lower utility bills for customers
Affected Devices: ~10% of smart meters in Puerto Rico

Source: 2010 FBI Cyber-Intelligence Bulletin

Page 5

Start with a Bottom-up Approach

Page 6

RTOS Threats: Mitigation Strategies

§ Boot-time threats
  – Trust
  – Authentication
§ Run-time attacks
  – Kernel
  – User space
  – Networking

Page 7

Boot-Time Protection Strategy: Trust

§ Enable features offered by best-of-class silicon vendors, per specifications defined by the Trusted Computing Group, to provide layered security from the moment power is applied.

Page 8

Boot-Time Protection Strategy: Authentication

§ A trusted boot ROM will not help if the OS that it loads has not been signed and authenticated.

[Diagram: Boot ROM → LOAD → Memory, carrying an Unsigned VxWorks Kernel Image]


Page 10

Boot-Time Protection Strategy: Authentication

§ To authenticate the binary OS image we need to ask two questions.

[Diagram: Boot ROM → LOAD → Memory of the VxWorks Kernel Image, with two questions: Did it come from OEM Inc.? Is it untampered?]

Page 11

Boot-Time Protection Strategy: Authentication

§ Public/private key pair

[Diagram: OEM Inc. holds a key pair: the Private key, kept as a Company Secret, and the Public key]

Page 12

Boot-Time Protection Strategy: Authentication

§ Binary signature

[Diagram: Hash the Unsigned VxWorks Kernel Image → 10110011 → Encrypt with OEM Inc.'s Private key → Signature. Decrypting the Signature with the Public key recovers 10110011]

Page 13

Boot-Time Protection Strategy: Authentication

§ Signed binary

[Diagram: Unsigned VxWorks Kernel Image + Signature → Signed VxWorks Kernel Image; Boot ROM + Public key → Boot ROM with Key]

Page 14

Boot-Time Protection Strategy: Authentication

§ Signed binary loading

[Diagram: the Boot ROM with Key LOADs the Signed VxWorks Kernel Image into Memory, Decrypts the Signature with the Public key → 10110011, Hashes the loaded image → 10110011, and asks: Match?]
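Slides 11 to 14 describe one chain: an OEM key pair, a hash of the image signed with the private key, the signature appended to the image, and a boot ROM that holds only the public key, re-hashes what it loaded and compares. The Go program below is an added example, not Wind River or VxWorks code: it assumes a simple layout in which an RSA PKCS#1 v1.5 signature over the SHA-256 hash is appended to the image, and the names NewOEMKey, SignImage and BootROMVerify are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewOEMKey generates OEM Inc.'s key pair: the private half is the company secret, the public half goes into the Boot ROM with Key.
func NewOEMKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignImage is the OEM-side step: hash the image, then sign the hash with the private key.
// Output layout (assumed here, not the real VxWorks format): [image][signature of pub.Size() bytes].
func SignImage(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, image...), sig...), nil
}

// BootROMVerify is what a Boot ROM holding only the public key does before LOAD: split off the signature, hash the image, check the signature against that hash.
func BootROMVerify(pub *rsa.PublicKey, signed []byte) ([]byte, error) {
	n := pub.Size()
	if len(signed) <= n {
		return nil, fmt.Errorf("image of %d bytes is too short to carry a %d-byte signature", len(signed), n)
	}
	image, sig := signed[:len(signed)-n], signed[len(signed)-n:]
	digest := sha256.Sum256(image)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature mismatch, refusing to load: %w", err)
	}
	return image, nil
}

// main signs a constructed stand-in image and verifies it, so the file runs stand-alone.
func main() {
	priv, err := NewOEMKey()
	if err != nil {
		panic(err)
	}
	signed, _ := SignImage(priv, []byte("constructed stand-in for a VxWorks kernel image")) // constructed sample
	_, err = BootROMVerify(&priv.PublicKey, signed) // a failed SignImage yields nil here, which verify rejects
	fmt.Println("boot ROM verify result:", err)    // nil means the image may be loaded
}
```

The two questions from slide 10 map onto the verify call: a signature that does not check out under the OEM public key fails the "did it come from OEM Inc." test, and any change to the image bytes after signing fails the "is it untampered" test.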

Page 15

Run-Time Protection Strategy: Kernel Hardening

§ ISR/task stack overrun detection
§ Heap usage tracking and leakage detection
§ Persistent storage of error records
§ Code corruption detection
§ Null pointer usage detection
§ Heap block overrun detection

Page 16

Run-Time Protection Strategy: User Space

§ User space RTPs are containers for
  – Code (text and data), stack, heap
  – Tasks owned by this RTP
  – Objects created by this RTP
§ They offer
  – Memory protection for
    • Text
    • Data
    • Stack
  – Kernel isolation

Page 17

Run-Time Protection Strategy: Networking

§ Source code quality
  ‒ Coverity
  ‒ Unit test
  ‒ Diagnostics
§ Denial of service testing
  ‒ Nessus
  ‒ Satan
§ Protocol validation
  ‒ ANVL
§ Performance testing
§ Interoperability testing
  ‒ VPNC, IPv6 Forum Gold Logo host, router, IPsec
  ‒ OpenSSL FIPS 140-2 run-time module
§ Network robustness and cyber-attack testing
  ‒ Wurldtech Achilles certified

Page 18

Run-Time Protection Strategy: Networking

Wurldtech conducts a variety of Ethernet-level, TCP/IP-level and Vnet/IP protocol-level cyber attacks.

Page 19

Monitoring
§ Active monitoring of key lists for vulnerabilities applicable to supported products

Assessment/Prioritization
§ Assessment and prioritization of vulnerabilities and response, with an initial acknowledgement within one day of receipt (for external sources)
§ Prioritization at High, Medium, Low, or Not Susceptible

Notification
§ Proactive notifications for VxWorks vulnerabilities that do apply, at Online Support (OLS) and to the external party (if applicable)
§ Regular consolidated alerts for vulnerabilities that do not affect VxWorks, at OLS and to the external party (if applicable)
§ Certain public disclosure restrictions for some vulnerabilities (e.g., CERT)

Remediation
§ Posting and notification of patch; resolution on OLS and to the external party (if applicable)

Security Response Flow
[Diagram: reports arrive from CERT, customers and the external address security-alert@windriver.com and go to the VxWorks Security Response Team (SRT) (each relevant engineering group, customer support). Does Not Affect VxWorks → Consolidated OLS Notification. Applicable to VxWorks → Defect Filed → Security Patch and OLS Notification, with a Proactive OLS Notification]

Page 20

Then take a step back to look at the big picture.

Page 21

Holistic Approach to Security

[Diagram: product life cycle (Design, Production, Deployment, Operation and Maintenance, Destruction/Disposal) set against the Vulnerability Landscape, Customer Requirements and Wind River Domain Expertise]

Page 22

Security in the Design Phase

§ Questions to Ask
  – What are your product security requirements?
  – Does your product have flaws that can be exploited?
  – What specifications are applicable to your end customer’s market segment?
  – What coding standards should you implement?

[Life-cycle diagram: Design, Production, Deployment, Operation and Maintenance, Destruction/Disposal; Vulnerability Landscape]

Page 23

Security in the Production Phase

§ Questions to Ask
  – Has malicious code been injected during your production process?
  – Has your product been tested against known attacks?
  – Can your testing show robustness against unknown attacks?
  – Does your code contain security holes?

[Life-cycle diagram: Design, Production, Deployment, Operation and Maintenance, Destruction/Disposal; Vulnerability Landscape]

Page 24

Security in the Deployment Phase

§ Questions to Ask
  – Did your code boot into a trusted state?
  – Is a newly loaded application authorized to operate on your system?
  – Is your product protected against reverse engineering?
  – Is the “right thing” loaded on your product?

[Life-cycle diagram: Design, Production, Deployment, Operation and Maintenance, Destruction/Disposal; Vulnerability Landscape]

Page 25

Security in the Operation and Maintenance Phase

§ Questions to Ask
  – Did your software update operation inject malicious code?
  – Are your network transmissions authentic and protected from unauthorized disclosure?
  – Is the private information in your product safe and secure?
  – Are users authenticated and provided the correct authorization to access your systems?

[Life-cycle diagram: Design, Production, Deployment, Operation and Maintenance, Destruction/Disposal; Vulnerability Landscape]

Page 26

Security in the Disposal Phase

§ Questions to Ask
  – Is your business-sensitive information properly disposed of?
  – Are your products remaining out of service after their end of life?
  – Are critical security parameters being unenrolled after expiration?

[Life-cycle diagram: Design, Production, Deployment, Operation and Maintenance, Destruction/Disposal; Vulnerability Landscape]

Page 27

Security Tools Throughout Life Cycle

Design: Secure Design Life Cycle Training; Architectural Studies; Industry-Specific Regulations and Certifications
Production: Static Analysis Testing; Custom OS Configurations; Third-Party Integration; Wurldtech Achilles™ Certification
Deployment: Anti-tamper Design/Solution; Secure Boot and Run-Time Application Signing; Address Space Layout Randomization
Operation and Maintenance: Network Robustness/Fuzz Testing; Secure Upgrade Process; Secure Network Connectivity; Built-in Firewall Services
Destruction/Disposal: Zeroization Procedures; Sanitation Procedures; Remote Wipe Capabilities

Security Built into Every Step of the Product Life Cycle

Page 28

Comprehensive Approach

Secure Embedded System, supported by four areas:

Partner Ecosystem
§ Third-party certification partners
§ Endpoint protection services
§ Development process and tools
§ Comprehensive hardware vendor support

Security Expertise and Analysis
§ Regulatory requirements
§ Threat assessments
§ Design services
§ White hat services

Development Process and Tools
§ Mentoring and best practices
§ Testing, test management, code analytics, monitoring, and simulation

Secure Run-Times
§ Hypervisor and security appliance platform
§ Android
§ Security policy virtualization/OS/stack capability
§ Security certification support
